Zoom has taken great lengths to assure us that the company is doing everything it can to boost the security of its popular videoconferencing and collaboration platform, including embarking on a 90-day plan to strengthen its safety and introducing new security features.
The company just took another big step by acquiring Keybase, makers of a secure messaging and file-sharing service. Zoom plans to leverage Keybase’s encryption and security expertise and integrate teams to build end-to-end encryption that can reach current Zoom scalability.
CEO Eric S. Yuan wrote about the acquisition in a blog post, calling it a key step as Zoom attempts to create a “truly private video communications platform that can scale to hundreds of millions of participants” with the flexibility to support a wide variety of uses.
“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Zoom Keybase’s experienced team will be a critical part of this mission,” Yuan wrote.
Yuan also writes on the current state of Zoom’s encryption, which encrypts data at each sending client device and decrypts data once it reaches the recipient. Zoom 5.0 supports encryption using industry-standard AES-GCM with 256-bit keys, but encryption keys for each meeting are generated by Zoom servers.
Other features like support for attendees to call into a phone bridge or in-room meeting systems offered by other companies will always require Zoom to keep some encryption keys in the cloud.
However, Zoom is soon creating a new solution featuring end-to-end encryption for users who “prioritize privacy over compatibility,” Yuan wrote.
Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.
These end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. Zoom Rooms and Zoom Phone participants will be able to attend if explicitly allowed by the host. Encryption keys will be tightly controlled by the host, who will admit attendees. We believe this will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the choice of over 300 million daily meeting participants, including those at some of the world’s largest enterprises.
As we do this work to further protect our users’ privacy, we are also cognizant of our desire to prevent the use of Zoom’s products to cause harm. To that end, we will be taking the following steps:
- We will continue to work with users to enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees.
- Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.
- Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.
- We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.
According to Yuan, Zoom will publish a detailed draft cryptographic design on May 22 and host discussions sections with experts and customers to share more details. After that feedback is integrated into a final design, Zoom will announce engineering milestones and goals for deploying the platform to users.